announce  

Messages by Thread

• [ANNOUNCE] Apache Fory 0.16.0 released Shawn Yang
• [ANNOUNCE] Apache Kafka 4.1.2 Andrew Schofield
• Fwd: [ANNOUNCE] Apache Arrow Java 19.0.0 released Jean-Baptiste Onofré
• [ANNOUNCE] Apache Seatunnel 2.3.13 released lidongdai
• [ANNOUNCE] Apache Grails 7.0.9 James Daugherty
• CVE-2026-28563: Apache Airflow: DAG authorization bypass Rahul Vats
• CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata Rahul Vats
• CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications Rahul Vats
• CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization Rahul Vats
• [ANNOUNCE] Apache Pekko Connectors 1.3.0 released PJ Fanning
• [ANN] Apache Maven Daemon 1.0.4 released Tamás Cservenák
• [ANNOUNCE] Apache PDFBox 2.0.36 released Andreas Lehmkühler
• [ANNOUNCE] Apache Airflow 2.11.2 Released Jarek Potiuk
• [ANNOUNCE] Apache Airflow Providers prepared on 2026-03-09 are released Vincent Beck
• CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability Holden Karau
• CVE-2025-60012: Apache Livy: Restrict file access György Gál
• CVE-2025-66249: Apache Livy: Unauthorized directory access György Gál
• [ANN] Apache Maven 3.9.14 released Tamás Cservenák
• [ANNOUNCE] Apache Airflow 3.1.8 Released Rahul Vats
• [ANNOUNCE] Apache Gluten 1.6.0 released Hongze Zhang
• [ANNOUNCE] Apache Pekko Management 1.2.1 released PJ Fanning
• [ANN] Apache Tomcat Native 2.0.14 released Mark Thomas
• [ANN] Apache Tomcat Native 1.3.7 released Mark Thomas
• CVE-2026-23907: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Tilman Hausherr
• [ANNOUNCE] Apache PDFBox 3.0.7 released Andreas Lehmkühler
• [ANN] Apache Sling 14 Released Stefan Seifert
• CVE-2026-25604: Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass Jarek Potiuk
• CVE-2026-24015: Apache IoTDB: Insecure Default Configuration Vulnerability Haonan Hou
• CVE-2026-24713: Apache IoTDB: JEXL Expression Injection Vulnerability Haonan Hou
• CVE-2025-64152: Apache IoTDB: Path Traversal Vulnerability Haonan Hou
• CVE-2025-55017: Apache IoTDB: Path Traversal Vulnerability Haonan Hou
• CVE-2025-69219: Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator Jarek Potiuk
• [ANNOUNCE] Apache Grails 7.0.8 James Fredley
• [ANNOUNCE] Apache Commons Logging 1.3.6 Gary Gregory
• [ANNOUNCE] Apache Storm 2.8.4 Released Rui Abreu
• [ANNOUNCE] Release Apache DolphinScheduler 3.4.1 wenjun
• CVE-2026-24308: Apache ZooKeeper: Sensitive information disclosure in client configuration handling Andor Molnar
• CVE-2026-24281: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager Andor Molnar
• [ANNOUNCEMENT] HttpComponents Core 5.4.2 GA released Oleg Kalnichevski
• [ANN] Apache Maven 3.9.13 released Tamás Cservenák
• [ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.2.2 released David Jensen
• [ANNOUNCE] Apache Iceberg Go Release v0.5.0 Matt Topol
• [ANNOUNCE] Apache Accumulo ClassLoader Extras 1.0.0 Christopher
• [ANNOUNCE] Apache IoTDB 1.3.7 released Haonan Hou
• [ANNOUNCE] Apache IoTDB 2.0.7 released Haonan Hou
• [ANNOUNCE] Apache Airflow Providers prepared on 2026-03-03 are released Jarek Potiuk
• [ANNOUNCE] Apache Solr 10.0.0 released Anshum Gupta
• [ANNOUNCE] Apache Jackrabbit Oak 1.92.0 Julian Reschke
• CVE-2025-66168: Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated Christopher L. Shannon
• CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Justin Bertram
• Apache Airflow Providers prepared on 2026-02-26 are released Jarek Potiuk
• CVE-2025-59059: Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator Velmurugan Periasamy
• CVE-2025-59060: Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient Velmurugan Periasamy
• [ANNOUNCE] Apache Artemis 2.52.0 Released Justin Bertram
• [ANNOUNCE] Apache Fluss 0.9.0-incubating released yuxia luo
• [ANNOUNCE] Apache Ranger 2.8.0 released Madhan Neethiraj
• [ANNOUNCE] Apache ShardingSphere 5.5.3 available Longtao Jiang
• [ANNOUNCE] Release Apache Kvrocks 2.15.0 hulk
• [ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.2.1 released David Jensen
• [ANNOUNCE] Apache NiFi NAR Maven Plugin 2.3.0 Released Pierre Villard
• [ANNOUNCE] Apache Arrow nanoarrow 0.8.0 Released Dewey Dunnington
• [ANNOUNCE] Apache Wayang 1.1.1 released Mads Sejer
• [ANNOUNCE] OpenNLP 3.0.0-M1 released Richard Zowalla
• [ANNOUNCE] Apache NetBeans 29 Released Eric Barboni
• CVE-2026-23984: Apache Superset: SQLLab Read-Only Bypass on PostgreSQL Daniel Gaspar
• CVE-2026-23983: Apache Superset: Sensitive Data Exposure via REST API (disabled by default) Daniel Gaspar
• CVE-2026-23982: Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass Daniel Gaspar
• CVE-2026-23980: Apache Superset: Improper Neutralization of Special Elements used in a SQL Command Daniel Gaspar
• CVE-2026-23969: Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering Daniel Gaspar
• CVE-2024-56373: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information Jarek Potiuk
• CVE-2025-27555: Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli Jarek Potiuk
• [ANNOUNCE] Apache Pulsar Helm Chart version 4.5.0 Released Lari Hotari
• [ANN] Apache Syncope 4.1.0-M0 Francesco Chicchiriccò
• [ANNOUNCE] Apache Airflow 2.11.1 and Fab provider 1.5.4 Released Jarek Potiuk
• [ANNOUNCE] Apache Pulsar 4.1.3 released Lari Hotari
• [ANNOUNCE] Apache Pulsar 4.0.9 released Lari Hotari
• https://camel.apache.org/security/CVE-2026-23552.html: CVE-2026-23552: Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Andrea Cosentino
• https://camel.apache.org/security/CVE-2026-25747.html: CVE-2026-25747: Apache Camel: Deserialization of Untrusted Data in Camel LevelDB Andrea Cosentino
• [ANNOUNCE] Apache ActiveMQ 6.2.1 has been released! Jean-Baptiste Onofré
• [ANNOUNCE] Apache Airflow Helm Chart version 1.19.0 Released Jedidiah Cunningham
• [ANNOUNCE] Apache Camel 4.18.0 (LTS) Released Gregor Zurowski
• [SECURITY] CVE-2026-24733 Apache Tomcat - Security constraint bypass with HTTP/0.9 Mark Thomas
• [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass Mark Thomas
• [SECURITY] CVE-2025-66614 Apache Tomcat - Client certificate verification bypass due to virtual host mapping Mark Thomas
• [ANNOUNCE] Apache Commons FileUpload 2.0.0-M5 Gary Gregory
• [ANNOUNCE] Apache Kafka 4.2.0 Christo Lolov
• [ANNOUNCE] Apache Arrow 23.0.1 released Raúl Cumplido
• CVE-2026-25087: Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering Antoine Pitrou
• CVE-2026-25903: Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates David Handermann
• [ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.2.0 released David Jensen
• [ANNOUNCE] Apache Pulsar 3.0.16 released Lari Hotari
• [ANNOUNCE] Apache Grails Spring Security 7.0.1 Mattias Reichel
• [ANNOUNCE] Apache Grails Quartz Plugin 4.0.1 James Daugherty
• [ANNOUNCE] Apache Grails Redis Plugin 5.0.1 James Daugherty
• [ANNOUNCE] Apache NiFi 2.8.0 Released Pierre Villard
• [ANNOUNCE] Apache ActiveMQ 5.19.2 has been released! Jean-Baptiste Onofré
• [ANNOUNCE] Apache Karaf runtime 4.4.10 has been released! Jean-Baptiste Onofré
• [ANNOUNCE] Apache Camel 4.14.5 (LTS) Released Gregor Zurowski
• [ANNOUNCEMENT] HttpComponents Core 5.4.1 GA released Oleg Kalnichevski
• [ANNOUNCE] Apache Artemis 2.51.0 Released Domenico Francesco Bruscino
• [ANNOUNCE] Apache Camel 4.10.9 (LTS) Released Gregor Zurowski
• [ANNOUNCE] Release Apache Hop 2.17.0 Bart Maertens
• CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code Ryan Skraba
• [ANNOUNCE] Apache Fesod (Incubating) 2.0.1-incubating released Shuxin Pan
• [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Mark Thomas
• [ANN] End of support for Apache Tomcat Native 1.3.x Mark Thomas
• [ANN] Apache Tomcat Native 1.3.6 released Mark Thomas
• [ANN] Apache Tomcat Native 2.0.13 released Mark Thomas
• [ANN] Apache Struts IntelliJ IDEA plugin ver. 253.18970.1 Lukasz Lenart
• [ANNOUNCE] Apache Fory 0.15.0 released Shawn Yang
• [ANNOUNCE] Apache Druid 36.0.0 release Zoltan Haindrich
• CVE-2026-23906: Apache Druid: Authentication Bypass via LDAP Anonymous Bind Karan Kumar
• CVE-2026-24343: Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions Qingran Zhao
• CVE-2026-24098: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors Ephraim Anierobi
• CVE-2026-22922: Apache Airflow: Airflow externalLogUrl Permission Bypass Ephraim Anierobi
• CVE-2026-23901: Apache Shiro: Brute force attack possible to determine valid user names Lenny Primak
• CVE-2026-23903: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems Lenny Primak
• [ANNOUNCE] Apache ShardingSphere ElasticJob-3.0.5 available Longtao Jiang
• [ANNOUNCE] Apache Traffic Server 10.1.1 Release Chris McFarlen
• [ANNOUNCE] Apache Flink Agents 0.2.0 released Xuannan Su
• [ANNOUNCE] Apache APISIX 3.15.0 has been released Abhishek Choudhary
• [ANNOUNCE] Apache Daffodil 4.1.0 Released Steve Lawrence
• [ANNOUNCE] Apache YuniKorn v1.8.0 released Wilfred Spiegelenburg
• [ANNOUNCE] Apache Airflow 3.1.7 Released Ephraim Anierobi
• [ANN] Apache Syncope 3.0.16 Francesco Chicchiriccò
• [ANNOUNCE] Apache TomEE 10.1.4 Markus Jung
• [ANN] Apache Syncope 4.0.4 Francesco Chicchiriccò
• [ANNOUNCE] Apache Teaclave™ TrustZone SDK 0.8.0 Released Zehui Chen
• [ANNOUNCE] Apache StormCrawler 3.5.1 released Richard Zowalla
• CVE-2026-24735: Apache Answer: Revision API Improper Access Control leads to Information Disclosure Enxin Xie
• [ANNOUNCE] Apache Airflow Providers prepared on 2026-01-27 are released Vincent Beck
• [ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.1.2 released David Jensen
• CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters Francesco Chicchiriccò
• CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login Francesco Chicchiriccò
• [ANNOUNCE] Apache Grails 7.0.7 James Fredley
• [ANNOUNCE] Apache SIS 1.6 Release Martin Desruisseaux
  • [ANNOUNCE] Apache SIS 1.6 Release Martin Desruisseaux
• [ANN] Apache Tomcat 11.0.18 Available Mark Thomas
• [ANNOUNCE] Apache Pulsar Client C++ 4.0.1 released Yunze Xu
• [ANN] Apache Tomcat 10.1.52 Available Christopher Schultz
• [ANNOUNCE] Apache MINA SSHD 2.17.1 released Thomas Wolf
• [ANNOUNCE] Apache Arrow 23.0.0 released Raúl Cumplido
• [ANNOUNCE] Apache Groovy 5.0.4 Released Paul King
• [ANNOUNCE] Apache Grails 7.0.6 James Daugherty
• [ANNOUNCE] Apache bRPC 1.16.0 released Xiaofeng
• CVE-2016-15057: Apache Continuum: Command injection leading to RCE Arnout Engelen
• https://karaf.apache.org/security/cve-2026-24656.txt: CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability Jean-Baptiste Onofré
• [ANNOUNCE] Apache NiFi API 2.6.0 Released Pierre Villard
• [ANNOUNCE] Apache Artemis 2.50.0 Released Justin Bertram
• CVE-2025-27821: HDFS native client: Out of bounds write in URI parser of native HDFS client Chris Nauroth
• [ANNOUNCE] Apache Qpid JMS 2.10.0 released Robbie Gemmell
• [ANNOUNCE] Apache Qpid JMS 1.16.0 released Robbie Gemmell
• [ANN] Apache Tomcat 9.0.115 available Rémy Maucherat
• [ANNOUNCE] Apache Commons BCEL Version 6.12.0 Gary Gregory
• [ANNOUNCE] Apache MINA SSHD 2.17.0 released Thomas Wolf
• [ANNOUNCE] Apache Airflow Providers prepared on 2026-01-17 are released Jens Scheffler
• [ANNOUNCE] Apache Groovy 4.0.30 Released Paul King
• CVE-2026-22444: Apache Solr: Insufficient file-access checking in standalone core-creation requests Jason Gerlowski
• CVE-2026-22022: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin Jason Gerlowski
• [ANNOUNCE] Apache OFBiz 24.09.05 released Nicolas Malin
• [ANNOUNCE] Apache IoTDB 2.0.6 released Haonan Hou
• [ANNOUNCE] Apache Airflow Providers prepared on 2026-01-13 are released Jens Scheffler
• [ANNOUNCE] Apache Jackrabbit 2.22.3 released Julian Reschke
• [ANNOUNCE] Apache Qpid protonj2 1.1.0 released Timothy Bish
• CVE-2025-60021: Apache bRPC: Remote command injection vulnerability in heap builtin service Guangming Chen
• CVE-2025-68675: Apache Airflow: proxy credentials for various providers might leak in task logs Ephraim Anierobi
• CVE-2025-68438: Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated Ephraim Anierobi
• [ANNOUNCE] Apache DataSketches Rust 0.2.0 Released tison
• [ANNOUNCE] Apache Airflow 3.1.6 Released Ephraim Anierobi
• CVE-2025-66169: Apache Camel: Cypher injection vulnerability in Camel-Neo4j component Andrea Cosentino
• [ANNOUNCE] Apache Flink-shaded 21.0 released Martijn Visser
• [ANNOUNCE] Apache Grails 7.0.5 James Fredley
• [ANNOUNCE] Grails Publish Gradle Plugin 0.0.4 James Fredley
• [ANNOUNCE] Apache Camel 4.17.0 Released Gregor Zurowski
• [ANN] Apache Tomcat Native 1.3.4 released Mark Thomas
• [ANN] Apache Tomcat Native 2.0.12 released Mark Thomas
• S2-069: CVE-2025-68493: Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component Lukasz Lenart
• [ANNOUNCE] Apache Camel 4.14.4 (LTS) Released Gregor Zurowski
• [ANNOUNCE] Apache Kudu 1.18.1 Released Abhishek Chennaka
• [ANNOUNCE] Apache Fineract 1.14.0 Release Adam Monsen
• [ANNOUNCE] Apache IoTDB 1.3.6 released Haonan Hou
• [ANNOUNCE] Apache Jackrabbit Oak 1.90.0 released Jörg Hoh
• CVE-2025-62235: Apache NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing Szymon Janc
• CVE-2025-53477: Apache NimBLE: NULL Pointer Dereference in NimBLE host HCI layer Szymon Janc
• CVE-2025-53470: Apache NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver Szymon Janc
• CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller Szymon Janc
• CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability Martin Desruisseaux
• [ANNOUNCE] Apache Fory 0.14.1 released Shawn Yang
• CVE-2025-66518: Apache Kyuubi: Unauthorized directory access due to missing path normalization Akira Ajisaka
• [ANNOUNCE] Apache Airflow Providers prepared on 2025-12-30 are released Shahar Epstein
• Apache Commons Pool 2.13.1 Gary Gregory
• [ANNOUNCE] Apache Kyuubi v1.10.3 is available Akira Ajisaka
• [ANNOUNCE] Apache Camel 4.14.3 (LTS) Released Gregor Zurowski
• [ANNOUNCE] Apache Kyuubi v1.11.0 is available Cheng Pan
• [ANNOUNCE] Apache EventMesh 1.12.0 available mikexue
• [ANNOUNCE] Apache TsFile 2.2.0 released Haonan Hou
• CVE-2025-48769: Apache NuttX RTOS: fs/vfs/fs_rename: use after free Tomasz Cedro
• CVE-2025-48768: Apache NuttX RTOS: fs/inode: fs_inoderemove root inode removal Tomasz Cedro
• [ANNOUNCE] Apache Pulsar Node.js client 1.16.0 released Baodi Shi
• CVE-2025-47411: Apache StreamPipes: Leverage of User ID for Privilege Escalation Philipp Zehnder

• Earlier messages